Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "View privileges"] [Next entry: "Alex Kornbrust has today released 3 new Oracle security advisories"]

Tom talks about direct dictionary editing



I was reading Tom's blog entry for yesterday last night titled " http://tkyte.blogspot.com/2005/04/birth-of-asktom.html - (broken link) The Birth of Asktom and it got me thinking about some of the security aspects of what he had written. As you may have guessed the blog entry discusses the events that lead to Tom creating his AskTom website, one of these was a tip in an edition of oramag that suggested that it was OK to update the data dictionary directly to rename a column in an 8i version. 9i introduced the rename column command. Tom was obviously not impressed with this.

I have also seen posts on newsgroups from time to time that suggest updating the dictionary directly. This is a bad idea. But the reason I was interested in Tom's post is that I have seen it done but for nefarious reasons not just because of trying to get around the lack of a feature. I know that Alex Kornbrusts Company has released a tool (repscan) that detects just this kind of activity, i.e. direct editing of the data dictionary. If you cannot guarantee the integrity of the data dictionary then you are in trouble.